Three Pillars for Operationalizing Cyber Risk Detection, Prevention, and Response

Breaking down silos created by individual security products and streamlining collaboration between security and IT operations remains the biggest cyber risk management challenge facing organizations. This finding is based on feedback from leading security executives during a recent multi-city tour organized by the CISO Executive Network. The biggest concerns for security practitioners in defending against cyber-attacks are centered in three core areas: Identification, Prioritization, and Orchestration of Remediation. Their ultimate stated objective is to operationalize cyber risk management and implement a pro-active, rather than reactive, approach to cyber risk detection, prevention, and response.

Organizations face an uphill battle when it comes to cyber security, as the attack surface they have to protect has grown significantly and is expected to balloon even further. While it was sufficient in the past to focus on network and endpoint protection, nowadays applications, cloud services, mobile devices (e.g., tablets, mobile phones, Bluetooth devices, and smart watches), and the Internet of Things (e.g., physical security systems, lights, appliances, as well as heating and air conditioning systems) represent a broadly extended attack surface. According to the 2015 Global Risk Management Survey, 84% of cyber-attacks today target the application layer and not the network layer, requiring a more holistic approach to cyber security.

This “wider and deeper” attack surface only adds to the existing problem of how to manage the volume, velocity, and complexity of data generated by the myriad IT and security tools in an organization’s network. The feeds from these disconnected systems must be analyzed and normalized, and remediation efforts must be prioritized. The more tools, the more difficult the challenge; and the broader the attack surface, the more data to analyze. This approach requires legions of staff to comb through huge amounts of data to connect the dots and find latent threats. These efforts can take months, during which time attackers can exploit vulnerabilities and extract data.

This situation is aggravated by the fact that, according to ISACA, a global IT association, the industry is facing a shortfall of a million security professionals globally. For most organizations, the prospects of hiring the staff needed to aggregate, normalize, and analyze the vast amount of data required to assess cyber risk exposure are slim.

Breaking down existing silos and automating traditional security operations tasks with the help of technology has therefore become a force-multiplier for supplementing scarce cyber security operations talent.

To successfully operationalize cyber security practices, progressive organizations are turning to emerging technology that serves as an aggregation and orchestration layer sitting on top of their existing IT and security tools, and that assists in the Identification, Prioritization, and Orchestration of Remediation of cyber risks.

Let’s take a deeper look at each of these three pillars:

Identification

Identification is the first step in understanding what remediation actions are needed to minimize an organization’s cyber risk exposure. With many organizations overwhelmed by the volume, velocity, and complexity of internal security data, it has become crucial to streamline the identification process. This step has become the Achilles’ heel of day-to-day security operations for many companies.

The use of human-interactive machine learning engines can automate the aggregation of data across different data types; map assessment data to compliance requirements; and normalize the information to rule out false positives and duplicates and to enrich data attributes.

Prioritization

In the past, the majority of organizations focused primarily on their internal security posture and therefore had a difficult time prioritizing their remediation actions based on business criticality. By leveraging emerging technology, organizations can place internal security intelligence, external threat data, and business criticality into context to derive a holistic view of risk posture across networks, applications, mobile devices, etc. In this way, security teams can determine which imminent threats they face from cyber adversaries, and which ones present the highest risk to the business.

Orchestration of Remediation

Increasing collaboration between security teams, which are responsible for identifying security gaps, and IT operations teams, which are focused on remediating them, continues to be a challenge for many organizations. Using the cyber risk management concept as a blueprint, it’s possible to implement automated processes for pro-active security incident notification and human-in-the-loop intervention. By establishing thresholds and pre-defined rules, organizations can also orchestrate remediation actions to fix security gaps. Meanwhile, cyber risk management provides a way to measure the effectiveness of remediation actions and ensure risks have been successfully eliminated.

To increase remediation effectiveness, emerging cyber risk management tools also provide playbooks that include step-by-step instructions on how to tackle the most critical vulnerabilities. The intelligence-driven cyber risk management model also mandates a closed-loop remediation process, which ensures that a ticket is only closed once the effectiveness of a patch has been revalidated. Unfortunately, many organizations close out tickets as soon as a patch is applied, without testing whether it actually fixed the problem. This leaves a large blind spot if the patch failed.
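As an added illustration (not code from the article or from any vendor product), the following Python sketches the Prioritization and closed-loop remediation rules described above: findings from two hypothetical scanners are aggregated and de-duplicated, scored by severity, business criticality and external exploit intelligence, and a ticket is only closed after a re-scan confirms the finding is gone. All tool names, asset names, CVE identifiers and criticality values are constructed placeholders.

```python
# Constructed sample findings from two hypothetical scanners; the CVE ids are placeholders.
RAW_FINDINGS = [
    {"tool": "scanA", "asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"tool": "scanB", "asset": "WEB-01", "cve": "cve-0000-0001", "cvss": 9.8},  # same finding, different casing
    {"tool": "scanA", "asset": "db-01", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"tool": "scanB", "asset": "kiosk-07", "cve": "CVE-0000-0003", "cvss": 9.1},
]
# External threat data (constructed): CVEs reported as exploited in the wild.
ACTIVELY_EXPLOITED = {"CVE-0000-0002"}
# Business criticality per asset (constructed): 1 = low, 5 = crown jewel.
CRITICALITY = {"web-01": 4, "db-01": 5, "kiosk-07": 1}


def normalize(findings):
    """Aggregate findings from all tools and collapse duplicates on (asset, CVE)."""
    merged = {}
    for f in findings:
        key = (f["asset"].lower(), f["cve"].upper())
        entry = merged.setdefault(key, {"asset": key[0], "cve": key[1], "cvss": 0.0, "tools": set()})
        entry["cvss"] = max(entry["cvss"], f["cvss"])   # keep the highest reported severity
        entry["tools"].add(f["tool"])                    # remember which tools saw it
    return list(merged.values())


def risk_score(finding):
    """Severity in business context: CVSS x asset criticality, doubled if exploited in the wild."""
    base = finding["cvss"] * CRITICALITY.get(finding["asset"], 1)
    return base * 2 if finding["cve"] in ACTIVELY_EXPLOITED else base


def prioritize(findings):
    """Return normalized findings, highest business risk first."""
    return sorted(normalize(findings), key=risk_score, reverse=True)


def close_ticket(ticket, rescan_findings):
    """Closed-loop rule: a ticket closes only if the re-scan no longer reports the finding."""
    still_present = any(
        f["asset"].lower() == ticket["asset"] and f["cve"].upper() == ticket["cve"]
        for f in rescan_findings
    )
    ticket["status"] = "reopened" if still_present else "closed"
    return ticket["status"]


if __name__ == "__main__":
    for f in prioritize(RAW_FINDINGS):
        print(f"{f['asset']:9} {f['cve']} score={risk_score(f):.1f} seen_by={sorted(f['tools'])}")
```

Note that the 7.5 finding on the crown-jewel database outranks the 9.8 on the web server once exploit intelligence and business criticality are factored in, which is the point of contextual prioritization.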

By implementing these three main pillars, organizations can operationalize their cyber security practices to shorten time-to-detection and ultimately, time-to-remediation of cyber threats.

Torsten George is strategic advisory board member at vulnerability risk management software vendor, NopSec. Torsten has more than 20 years of global information security experience. He is a frequent speaker on cyber security and risk management strategies worldwide and regularly provides commentary and byline articles for media outlets, covering topics such as data breaches, incident response best practices, and cyber security strategies. Torsten has held executive level positions with RiskSense, RiskVision (formerly Agiliance), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell). He holds a Doctorate in Economics and a Diplom-Kaufmann degree.